This is the eighth meeting that the Security Issues Forum has held
regarding the security of the NII. The first seven meetings were used as a
basis for our Security Issues Forum draft report, "NII Security: The
Federal Role." We hope this meeting will help us finalize that report and
move along to other things.

It is my view that we have come a long way in identifying the issues and
the areas of common concern, both to the private sector and to the
government. As a user of the NII, the government has significant interest
in its security and I think our report reflects that interest.

At the same time, we have long acknowledged that the NII is to be
designed, built, owned and operated by the private sector and that the
private sector, therefore, has to be a full partner, if not more so, than
the government in assuring the security of the NII. The comments that we
have received on the report reinforce for us that assumption, that belief.

Today we're going to focus on three areas of the draft report that
received the most comments and, not surprisingly, the most attention in the
press and with the private sector generally: security products and their
certification; infrastructure reliability and vulnerability, including
threats and risks; and cryptography. We will have one panel for each of
these issues.

Our witnesses on each panel were selected from those who commented on the
report. This will give them an opportunity not only -- and I hope I use
the term "not only" as a guide -- don't just repeat what you've told us
before but use this opportunity to comment on what others have said and to
raise other kinds of concerns so that we're not simply repeating what we've
already had the benefit of considering.

The first panel, which you see assembled before you, will discuss
security, product certification, whether certification or quality assurance
is necessary, and, if so, who should be responsible.

The witnesses for the first panel are from the Computer Systems Policy
Project, Information Technology Industry Council, and the Information
Industry Association. Our government representatives are from the National
Institute of Standards and Technology and the Federal Networking Council.

The second panel will discuss infrastructure reliability, what are the
risks associated with relying on the NII and are they acceptable. If they
are not acceptable, how are they to be mitigated. Witnesses will be from
GTE, the Bankers Roundtable, and the U.S. Council for International
Business. Our government representatives will be from the National
Communications System and the Departments of Defense and Justice.

The third panel will address Cryptography and the questions surrounding
the proper balance between the private sector's confidentiality and privacy
rights and the government's national security and law enforcement public
safety responsibilities. Witnesses include any and all of those from the
previous panel and the government representatives are from Justice, the
National Security Council and the Office of Science and Policy in the White
House and the State Department.

Now, although I am a lawyer and therefore feel comfortable in hearings
with all the trappings of due process, I am hoping that we will have a much
more informal-type operation here. As I said, I would like to encourage
you to comment on other submissions. I hope we will have dialogue.

Do not think of me as sitting at this table on this panel. See me
somewhere in between, as having useful conversations among and between all
of us.

As we begin each panel I'm going to ask the government representatives to
introduce themselves -- without an opening statement, gentlemen -- then
I'll ask the witnesses to do the same and offer whatever statements they
wish. Thereafter you can ask questions, you can comment, you can engage in
dialogue and it will be quite wide open.

The gentleman sitting there with the mouthpiece on is doing us yeoman's
service because many of the agency representatives who have an interest in
this could not be with us today and we thought it best to keep a transcript
of the proceedings.

I think I have handled all of the administrative matters that I've been
told to address so let me start by having the first panel discussing
product certification.

Dennis, do you want to start and introduce yourself?
MR. STEINAUER: No opening statements, huh?
(Laughter.)
MR. STEINAUER: I'm Dennis Steinauer. I work at the National Institute of
Standards and Technology. Actually, I work for Stu Katzke in the Computer
Security Division but I also co-chair the Federal Networking Council with
Steve Squires.

One of our concerns in the Federal Networking Council is making sure that
government use of key elements of the NII, with a particular focus on the
Internet, can be done in a safe and secure manner.

MS. KATZEN: Do we have a particular order? Should I start with Oliver?
MR. SMOOT: Of course, we could do the same thing. Rip up our prepared
statements, because I think at least we were going to say exactly what we
said before. But having been given this invitation, I'll say something
different.

I began to get seriously involved in standards in 1986 for ITIC.

Particularly since the Europeans launched their single market program the
attention to standards and to certification or accreditation has increased
many fold. We believe that we have made some false starts and gone down
some wrong roads in this. And, in particular, we believe that it's time to
start taking apart some of the certification and accreditation layers that
have been added to the business process and go back to a more fundamental
assurance.

Basically, our position generally with regard to products -- not security
or NII products -- is that first, suppliers want satisfied customers
because they want repeat business. And the way to get that in this area is
for the supplier to be able to test the product once at a location of the
supplier's choosing and have that test result accepted world wide,
preferably through supplier declaration. So if you want to say that you
conform to any standard you should do so and you should be made to stand
up to meeting that test.

In many countries of the world there are lots of other bodies that like to
help you out by testing and certifying your product. If this is useful to
your customer then it is useful to the supplier because it makes for a
satisfied customer. But as a general proposition, we don't see the need
for or the value of a priori third party testing for products. And when we
look at the area of security, frankly, we don't see any different
considerations applying than for other products.

I think that's pretty much the basis of our position. And I just re-read
your report and I think it pretty much covers the issues that were raised
in the report.

MS. KATZEN: Thank you very much.

Dan?
MR. DUNCAN: Well, I first started out here in Washington working for a
very respected member of the conference who once told me that if you have a
good story to tell keep telling it.

(Laughter.)
MR. DUNCAN: So I am going to briefly review what we had submitted as
written comments and update on a couple of things that I think will show
the progress the private sector can make in important areas, including
developing standards for security or copyright management information
systems. Because that, in my opinion, is what the real crux of the problem
comes down to in the NII, and that is the need to protect information that
is transferred over electronic networks, specifically information that is
proprietary.

I think that is where we need to draw a line as well, between the private
sector and its role in the NII and the government and its role in the NII.

For, in fact, the role of the government in the NII should make as much
information as is held in the hands of the government accessible to as many
people as possible.

The importance of security is certainly there for intellectual property
holders. I think that is one reason why you've seen a great endorsement
from the industry of current copyright legislation that's before Congress
that proposed the inclusion of a new Chapter 12 under Title 17 of the U.S.
Code, which would put both criminal and civil penalties in place for those
who tamper with both copyright management information and the systems which
have been put in place to protect the copyrighted works that will go out
over the NII.

We, in the industry view this as a great step forward. In fact, it is
relevant to one of our earlier comments which we submitted back in
September, that we need to have a strengthening of criminal laws that will
prevent tampering with copyright management devices.

We believe the government should have a limited role in this area. We
believe that the most proper role for government would be in educating the
general public and perhaps also working with various information industry
sectors to make certain they are aware of advances that are going on in
other sectors of the industry.

Industry itself is working in that manner. IIA, back in October of last
year, began the process of trying to develop a new group that would look
from many industry segments at the idea of an interoperable standard for
copyright management technologies which would include things like
encryption, payment mechanisms, copyright management information and track
information for use on the NII. We believe that industry can come to
agreement on this but we believe it is an agreement in which industry must
take the lead. Industry is best informed of the developments of these
technologies, is best able to respond to market demands.

We did invite members from NIST to attend an organizational meeting that
we had just a week and a half ago in Washington. Unfortunately, because of
the snow storm and many other factors, I don't believe they were able to be
there. But we want to encourage their involvement in listening to industry
and helping guide us in our talks and how best to reach a consensus on
facilitating their operations.

Government is and is going to be increasingly a large user of the NII.

The government is generally not very good at innovating technologies.

That's why we have recommended in our comments that as government finds its
needs in cryptography or in protecting information or authenticating
information to put out on the NII that it go to private sector products
that are generally already acceptable in the marketplace and are already in
use. They are ones that can easily be substituted and adapted to.

We feel that if government locks in a certain kind of technology the
danger is that it will stay locked there for many years to come and that
will not serve either the public's needs or the government's needs,
especially if you consider how easily some of these technologies after a
few years in the marketplace can be broken into.

We do recognize the special government need for protecting its information
when it comes to areas of national security, protecting the national
interest and certainly protecting the privacy of individual citizens. But
we do not believe the government should have a role in oversight if that is
going to lead to either a direct involvement in the standard setting
process or regulation of standards that may be developed in the private
sector.

In fact, we think history has proven that deregulation spurs development
and innovation in this area. We think that's one reason why there are so
many deregulatory features in the recent Telecommunications Act that was
passed by Congress, a recognition that that industry can only grow if
government gets a more limited role in trying to determine how that sector
of the economy should grow.

Again, I would emphasize that as government determines its needs to
protect certain kinds of information that it make certain that it keep in
mind the principles that lie behind the Paperwork Reduction Act of 1995,
and that is the government's role in this area is to make more information
available, not less information available.

MS. KATZEN: Thank you.

The other Dan.

MR. HOYDYSH: I want to give a little bit of an introductory speech after
these two presentations, otherwise I won't have much to say.

I'm Dan Hoydysh. I work for the Unisys Corporation but I'm here to
represent the Computer Systems Policy Project, a coalition of 13 chief
executive officers. I say that only to give some perspective to the
concern that we have. Our CSPP companies employ over 815,000 people
worldwide and generate about $216 billion of revenue annually, 16 percent
of which is generated from overseas transactions. So while I agree with
everything that has been said before and would reiterate some of these
points I maybe have a little bit different spin or at least a different
perspective on this.

We believe and we testified earlier on in our comments in very simple and
straightforward terms that it's the role of the private sector to provide
solutions that are acceptable to customers. And we also indicated that we
thought it was premature to begin talking about developing any kind of
certification process. We think that certification, as has been said, has
to be market driven, has to be voluntary and, to the maximum extent
possible, using existing mechanisms for which there are ample precedents.

We thought it was premature because as far as we can see at this point
there is no real demand in the marketplace for certification on security
systems. If that demand were to develop there certainly exist mechanisms
through which it could be handled.

The other issue that I would like to touch upon is the fact that we're
here talking about NII but it is our position that the NII can not exist in
isolation. It is really an NII/GII issue. And the NII becomes GII as soon
as it moves outside the U.S., and that happens hundreds of thousands of
times on a daily basis.

We think it's premature to discuss things like certification because we
have yet to really resolve the question of how we will be able to deal with
security in terms of international transactions; how we're going to be able
to deal with interoperable security solutions that are going to work both
in the U.S. and in Europe or other parts of the world.

To some degree I think the agenda recognizes that problem. Because if we
were strictly talking about what happens in the U.S. the last panel on
cryptography would probably be less interesting than it might otherwise be
on the theory that there are no plans to impose restrictions on
cryptography in the U.S.

But I think there is recognition and I think one of the things we would
like to see and we've certainly commented on before is a clear recognition
that some of these issues can not fully be resolved and must be resolved on
in a global context.

MS. KATZEN: I think it's up to you, gentlemen.

MR. HOYDYSH: One more. I will throw one thing back at the government.

In the report there was a statement about promoting security to which we
reacted. We were commenting to what was in it. I guess it would be useful
maybe to hear something back as to what more maybe the government had in
mind. What was behind that statement on the certification process as well.

MS. KATZEN: If you'd like to hold that thought for just a second, what I
heard in the last few minutes was that it's premature to think about this
issue. And if one were to think about this issue it certainly shouldn't be
done. And even if it were to be done it certainly shouldn't be done by the
government. Any comments?
MR. STEINAUER: I guess one of the problems might very well be that I
think there's a difference in concept of what certification is.

Certification is probably an inappropriate word to have used in the report
itself. I think certification implies that there's something out there, if
you don't have that seal of approval you can't use it. That it's a
proscriptive process.

I think in most cases where they were talking about security technology or
other types of technology in general, that the real concern is that when
there are either standards or accepted specifications for a product or a
certain type of technology, whether it's for interoperability purposes or
for some other type of purposes, such specifications have been agreed upon
in whatever community chooses to use those.

Then we feel there is a need by some suppliers and some users,
particularly government users and I would suspect also private sector as
well -- but there's no question that government users often look to some
sort of a validation, which is the term we're using, that given products
actually implement a given specification the way they say they do.

Now, I'll let you comment about the value of self-certification. I think
we agree that that is one of the spectrum of types of validations or
certifications -- pick your word here -- that very well may be appropriate.

In other cases organizations or buyers may say 'No, I really need
something a little more than just the vendor saying that this is real good
stuff.'

So I suspect that a lot of this problem is what really is meant by
certification? And I don't think we really view it at this point as
something nearly as proscriptive as the name makes it sound.

MR. KATZKE: Let me give you some history on this, where we were coming
from in the testing.

DOD developed a number of standards in the past, a signature standard and
other types of standards which were very much functionally oriented
standards and very easy to test. In fact, over the years we had developed
automated testing techniques -- have their products tested, give the test
results and then we'd issue a certificate saying 'This conformed to the
functional standard.'

We moved from that into a standard which was called "Security Requirements
Directed Modules, FIPS 140-1." That became a little bit more complex. In
meeting that standard we used something in NIST that NIST has available to
it called "The National Voluntary Laboratory Accreditation Program," which
allows NIST to set up third party testing services, commercial
organizations for any kind of testing, not just security testing, and used
that program very successfully in conjunction with the Canadians. We have
three labs now between the U.S. and Canada that are doing testing against
240-1.

We essentially step out of the way once this is set up. A vendor has a
product they want tested. They would go to the laboratory, make any
agreements that they have with the laboratory; the product gets tested; the
report comes to us; we look at the report; we put the U.S. Government
certificate on it and basically we issue the certificate. That can be a
discriminator in the market.

What we've done with security is that general security testing is very
difficult. It's very difficult to set up the objective tests. You need to
do one-of-a-kind testing of various kinds of products. Security may be
unique in that case. But I guess I feel that security testing is important
and difficult.

Let me give you an international perspective.

This problem is being faced by all governments internationally. We have
been working with the U.K, Germany, France, the Netherlands, the Canadians,
et cetera in trying to look at security testing. They have experience in
the U.K., Germany of setting up labs to do this kind of testing, the same
kind of deal. A vendor can take the product to the laboratory, have it
tested and get their certificate for it. And they've started addressing
the mutual recognition issues which are important to you.

My view is that we're going to have to have some kind of a testing
capability within this country and then work out mutual recognition
agreements with other international countries. At least that's the way the
European model is in terms of mutual recognition.

We are also working on a common criteria which is sort of -- it's a very
general kind of criteria which you can do testing against which is very
important, again, for the security purposes. To develop tests for
one-of-a-kind things is very difficult. The criteria provides a framework
against which you can do testing. I don't want to get into the details of
that right now.

I think that the combination of the criteria with the National Voluntary
Laboratory Accreditation process and working with industry to set up a
forum where anybody, not just the government -- it could be standards
organizations like ANSI X-9 -- in fact, we were just talking with them
about it this week, ANSI X-9, about a testing program where industry groups
can also participate in this process. They can use the Navlab process to
work with labs to do tests against standards, specs, whatever they want to.

Once the labs have been accredited to do that it's a totally commercial
venture in which the developers would take their products to the labs, get
them tested, then these groups -- whoever sponsored the testing, would
approve the products that come out. That's one model that can be used.

MR. SQUIRES: Actually, there have been a couple of references to the way
things have been done before and to some extent it may have worked. To
another extent there are glaring areas where it hasn't worked so well.

The thing that occurred to me in listening to both sides of this
conversation is the fact that the world of Net is much different from the
world of NADS. Even though we've had a lot of information technology, I
think the world of the future, NII and GII, represents a fundamental
challenge to both the way the technology will be used and the way society
responds, particularly in this area.

What I'm curious about is the extent to which the people in the private
sector panel have been thinking about how they'd like to see things change
to deal with the way things are turning out to be done on the Net.

MS. KATZEN: The panel is welcome to comment.

MR. SMOOT: Give us an example.

MR. SQUIRES: For example, if you take a look at what happens today on the
Net: some group proposes a draft standard that gets widely and openly
discussed, prototype implementations are put up, versions are widely
distributed and intensive informal testing and evaluation takes place all
over the globe, very rapidly feedback occurs and the products get refined.

Is there anything wrong with that? Are there ways to improve that?
MR. SMOOT: I think it works real well in this context but I don't think
that the IETF context dominates those worlds.

I would assume if you asked Bell Corps -- they have a similar process that
has worked fairly well since we split up the AT&T system which accomplishes
the same end for their type of product.

I take it the basic thing you're saying is that since we're going into a
network dominated era you can't be as stand alone-ish and cowboy-ish about
products as you used to be. I can't think of anybody that I deal with who
disagrees with that view of the world. We all have to fit into the Net so
that we don't cause harm to the network in a sense other than putting too
much electricity down the wire.

I think the thrust of our comments generally and in this area are that we
don't see the need -- you summarized it very well -- a government
gatekeeper or even the need for a single set of private sector gatekeepers
unless the customer wants it.

MS. KATZEN: Let me push on that a little bit. Let's just assume for
purposes of this discussion that the government would have no role -- none,
zero, zilch -- in the setting of the standards or the certification, either
piece of that. If that were a given would you still say that there is no
need for standard setting or for certification? I heard -- I think it was
Dennis, or maybe it was Stuart -- say that gosh, for mutual recognition
purposes you need to have some sort of outside validation. Customer
satisfaction may not be the sole criteria for global, let alone domestic
acceptance.

I also heard someone suggest that where standards are set -- I'm thinking
of, you know, railroad ties and all the trains go over the track without
having to come to an end of the line, stop and change their wheel
structures. Where things are set you can actually facilitate growth, you
can facilitate more transactions.

So let's just assume no government, no how, no way. Are you still saying
that there should be no standard setting and no certification except on an
individualistic, ad hoc, come as you get it type basis as long as you do
no harm to the network, if you want to add that?
MR. DUNCAN: That is not what I'm saying. What I said in the written
comments --
MS. KATZEN: I think it's important to do this because I suspect that some
fear of the government involvement caused people to pull back more than
they need.

MR. DUNCAN: As I mentioned, Sally, even as we are trying to get together
with various segments of the industry and this interoperable standard
setting facilitation, we're trying to get that done. We've invited NIST to
be a part of that.

We recognize that there is a certain amount of expertise and experience in
the rest of the government as well as what I mentioned earlier. The fact
of the matter is that government is an enormous user of this network, is
and will be. But there's a big difference, I think, between having the
government sitting at a table where standard facilitation is being
discussed as a participant in the network and having government sitting at
the table saying 'This is what we think we need to do and this is what we
think you need to do and then we will oversee all of this.' I think
there's a big difference between the two.

MR. HOYDYSH: To follow up, our testimony was -- we didn't say 'Don't do
anything ever.' We said it's premature. It's premature because we don't
see the market for that implementation. You can rest assured that when 80
percent of our customers say 'We want the government's seal of approval.'
we're going to go out and try and get the government's seal of approval.

We're saying let the market dictate how this develops. That's why the
question of timing is pretty important and it wasn't entirely clear what
your proposal was in terms of providing it.

The other thing I would say is that when you talk about mutual recognition
that assumes that you can export something. Right now we're limited in
what we can export because there isn't this overwhelming need.

The other factor that comes into play is that the government has a
particular need or angle with respect to security solutions that it might
not have with respect to other technical solutions. So the government
involvement in technical solutions standards or certification raises issues
that aren't raised with some other thing because there's a particular need
the government has to deal with, maybe they want to impose certain
limitations.

What we were saying primarily is it is premature to embark on some kind of
a structured process where we define the government is going to do this,
the government is going to do that. We're just on the first step of that
in terms of demand. We have to wait a while to see how things develop. We
didn't say in our thing that the government has absolutely no role.

MS. KATZEN: Is it also premature, if I hear you correctly, to have a
private sector certification process in place? You said there is no market
demand now for the government to give its seal of approval. Forget
government. Is there any sense that there may be a market demand or
otherwise for some sense of validation?
MR. HOYDYSH: In our particular market and from our companies I haven't
heard that mentioned.

MR. KATZKE: I mentioned just this week or last week when I went to the
ANSI X-9 meeting -- the reason I went down there is because they were
thinking of setting up their own testing capability and wanted to hear what
kind of things we were doing and how they might be able to piggyback on
some of the ideas that we had. We talked about this. It's a very broad
program.

I haven't gotten the word yet from our companies or from our people that
this is an issue.

MR. KATZKE: The X-9 group, our customers, our users, they're commercial
users -- the financial community -- and they're very interested in how to
do this.

MR. SQUIRES: The question that comes to mind then is if it is premature
how do you decide?
MR. HOYDYSH: It's premature but you have to tell us what is premature.

At least I think I'm saying it's premature to establish some kind of major
effort organizations or whatever.

What is it that you have in mind?
MR. SQUIRES: I'll tell you one practical thing that we're trying in the
context of the Federal Networking Council, and that is that a collection of
federal test beds and federal interest test beds are working together to
improve the information, security and some other interoperability features
of their Nets. These tend to be high performance Nets but they can also be
more typical performance Nets. But they tend to be operating in the gray
areas between the research community and something which is a full blown,
fully developed commercial product they're using.

They're taking results that come out of the normal research community
process as a prototype for what comes out of the normal collaboration
between the research community and the research sectors of industry, try to
understand how to really make them work in a fully interoperable way among
the different test beds. These are fully heterogeneous test beds. How to
add the security features to them and enhancements to them so that they can
improve their security and privacy.

And in the process we hope to learn how to make the transition between
sort of a research experimental enterprise and transition into commercial
practice. We're not quite sure where the boundary is.

One thing we have said is that we will be willing to experiment with the
NIST laboratory process by simply doing pilots if that community of users
has reason to believe that a certain collection of technologies really is
at the point where they're ready to proliferate and they have a pretty good
idea of what it needs but they no longer want to do it themselves, they'd
like to try to spin up a group that works with them to make them more
efficient. And they can also use those results for other sectors. That
seems to be the kind of process that might work. We don't know.

So here's a case where the Federal Networking Council has embarked on this
experimental technology and policy development because we're in this gray
area between the research community and the full-blown commercial
deployment.

MR. DUNCAN: I'm a little confused. The activity you just described, is
that something that's going on within the government and with government
employees involved or are you involving private sector companies?
MR. SQUIRES: It involves private sector.

MR. DUNCAN: Private sector contractors to the government agencies?
MR. SQUIRES: Yes. Because some of the federal networks and some of the
federal interest networks actually have a significant amount of private
sector involvement. For example, the NSF super computing centers, which is
some of the federal interest networks, is essentially the private sector.

But there is the NSF connection.

MR. DUNCAN: But they're developing these products for government use.

MR. SQUIRES: What they're doing is they're taking products out of the
research communities -- prototype products out of the research community,
what look like reasonable products -- commercial, off the shelf products,
but maybe using them early. Using them, say, in a more expansive way than
they might otherwise use them. And they're using them to try to improve
the security of the test beds.

MR. DUNCAN: One of the things we come in on that I would like to
emphasize is if these are products being created for government use,
basically the government is using them to put out government kinds of
information. And if you're thinking of doing something in the way of
standardizing across government entities in our view that is something that
could be a public good. And if you're doing it for the government then it
should be made public. And other parts of the society, especially private
industry developing products, ought to be able to know what you're up to
and have a right to whatever things you are developing. I think that's a
proper role for government to do.

I have no difficulty with you developing test bed models and developing
ideas for software products if you think there's a need on the part of
government to have those sort of products. But except in very rare cases
where they can not be made more available to the public, something they
could take a look at to see if they could improve, something that could
spur economic growth and development in this area because of national
security interests or because of protection of personal privacy or
whatever, they should be made open and available so they could then take
them and use them. I think that would be a good way to facilitate a
process by which everybody sort of knows what's going on in the
marketplace.

MS. KATZEN: Let me respond to Dan's question earlier about what did we
mean "being somewhat hesitant." I'm usually not that sort. Let me suggest
that there were at least two points that we were trying to advance.

One is following up on where Steve just was with the other Dan in terms of
making federal security products available to the private sector, the
sharing of information and facilitating of people using and developing
materials.

There was somebody who made a comment about the federal government isn't
very innovative. No, but every once in a while we have an idea or two and
if we do we ought to be sharing those. So that's part of one of it.

MR. KATZKE: Like, say, the Internet.

MS. KATZEN: The Internet, that was not a bad idea.

The second piece --

MR. DUNCAN: Although it's been more developed by the private sector.

MS. KATZEN: Absolutely.

MR. SQUIRES: And we took full advantage of it.

MR. DUNCAN: So did we.

MS. KATZEN: But the second part, which is the part that I was sort of
trying to pursue in my somewhat provocative questions early on, was the
concept that the government might be able to promote the development of
private sector certification standard setting efforts; promote the
convening at the table at which people are sitting to discuss their various
needs, as you welcomed in your comments. Everyone come to the table to
discuss the needs and to try to come to some resolution of this; government
promotion of the process. That would be done through private laboratories.

That would be done through private standard setting organizations.

That is why I was pushing on is it the fear of the government's
involvement that made everybody pull back and say 'No, we don't ever want
anything like this ever in our lifetime,' which would be a normal response
to government. 'I'm from OMB. I'm here to help you.' Ha, ha, ha is the
normal reaction that that gets.

But we honestly thought that there was a virtue to having standard setting
and certification done through the private sector and was looking to see if
there was a government role in promoting that private sector process. But
I'm not getting anything on that and that's why I feel so frustrated and
why I keep pushing on this issue.

MR. SMOOT: I don't think that that came through at all in the text.

Second, based on what you just said, let's totally separate standard
setting and everything else.

I think as maybe Steve, Stu and Dennis have said, we're entering an era
where developing and accepting and using standards is going to be much more
critical to the success of your product as the success of the network, the
NII or GII.

In that process, at least my members want everybody who has something to
say to be involved so that we come out with standards that are both
relevant to the marketplace and technically feasible and implementable at a
price that you can make a buck on. So we, for instance, given your
hypothetical earlier, we want the government involved heavily in the
standards setting process.

However, the clipper standard and the digital signature standards are
counter-examples to that. They are NIST issued standards without going to
the private sector. Turning, for instance, to the IETF in a way that is
very applicable to that kind of technology sort of does the standard
setting and implementation testing and certification, because you don't get
to have a final standard unless it actually works.

Or, most of the time it works because you're only doing limited testing.

That works very well. But one of the big problems that we see is
over-generalizing from that. That's sort of one side.

On the certification side, certification usually has been used to assure
somebody of something but it's not always true that certification is used
to assure that something definitely works. Frequently it is used to limit
market access or to control what goes on the market.

You are exactly right within the area of computer security. I believe
there is a significant concern in the private sector that a government run
certification program would be used to control what goes on the market,
whether for good reasons or for lack of resource reasons. You only have to
look at the experience with the Orange Book certification process at NSA
saying 'Gee, it was a big hurdle to jump through, cost a lot of money, took
a long time and I don't know of any company that made any money out of the
products that went through the process.'

MR. MC CONNELL: Unisys, in fact, is one of the only companies.

MR. HOYDYSH: You should see how well we've done.

(Laughter.)

MR. SMOOT: As a further example of all of that, perhaps for good reasons,
the European community developed a system of directives that are highly
dependent on standards and to some extent on requiring third party
certifications. So within the business community when you say
"certification" in a global context it has an overlay of governments, like
the EU, requiring certain things before you have access to their market.

They did this at least ostensibly so that they could pool together the 14
national markets -- now 20-some -- which have strong traditions of their
own product families, especially telecommunications. It's very hard work
but it has a whole lot of impacts outside of the European Union.

The only reason we're having MRE talks with the European Union is because
of the market closing aspects of that. There is no technical or business
justification to do that for any other reason.

MS. KATZEN: That's very helpful. Thank you.

MR. DUNCAN: I still think we have to be realistic here. When the federal
government walks into a room with private industry and starts talking about
these issues it's like the 800 pound gorilla. Maybe Congress cut it down
to 750 pounds by the end of the year but it's still a very large player
here, not only because of the size but also because it is the government.

I think even when we talk about things like promoting standard setting by
the government I think that's when you begin to get into kind of a
dangerous area. I think it's proper for government for its own needs to
look to see if there are standard ways for the government to adapt
technology that works best for the government. As they do that they should
make that a very open process, they should make it a very open process, not
just to the benefit of the private sector but equally of benefit to the
general public who is going to be using, hopefully, the vast amount of the
information the government is creating and trying to manage or protect in
some manner to insure authentication.

But I think it's a much more proper role for government to listen to what
the private sector itself is doing. The private sector is not lagging
behind in trying to develop these technologies. There are a myriad of them
out there.

The private sector also clearly is not now lagging behind in the attempt
to try and come to the same sort of general agreement on how best to make
these things work better for the purpose of the private sector's needs and
also the customer's needs. Because, you know, as Ollie had mentioned
earlier, we only do this because we need to get a fair return on
investment. We need to make a buck. We are not developing technologies so
that they aren't going to be useful by people and still protect whatever
needs need to be protected to make sure they get accurate information, that
it's authentic, that it's at a fair price and that they can be assured that
what they're getting is what they looked for in the first place.

I think government can play an important role in that but I don't think
government should lead the way and bring industry into the room and say
'This is what you need to do now.'

It's great to have an educational forum. It's great for you to gauge
where things are in the marketplace. And if people from the private sector
come to you and say 'We really need government to step in at this point and
do this then I think that's an appropriate time for them to get much more
involved. Until that comes, however, I think we have a tendency to chill
progress and innovation as opposed to aiding progress and innovation.

MR. HOYDYSH: When Sally indicated there were two points as to what you
meant by that statement in the report certainly the first one is easy to
understand. We know what that involves.

But then in your second point you said "Promote private sector efforts and
certification through private laboratories." I'm still not clear, when you
say "promote" exactly how do you intend to promote for one and what do you
expect to gain out of it? What's the benefit of the whole process for the
society, to industry. Your role in promoting is still not terribly clear
of what this means.

MS. KATZEN: I think the difficulty in being very clear is because there
isn't a single idea. One of the reasons for having the draft paper and
comments was to get people's ideas on how the government could promote --
not just for us to answer the question.

You talked about the educational campaign. That's an attribute in which
you all feel very comfortable. There may be other attributes in which you
feel comfortable. So when you say to me 'What did you mean by this?' or
'What did you say by this?' part of it was to use deliberately vague terms
to see the reaction that we would have.

And what would we get out of it? There are some who believe that there is
a virtue in having a certification, a validation process, even if it is
wholly done in the private sector, but that it would facilitate the growth
of the NII. And even though we are not responsible for it, we want to act
as a catalyst. We want to act as a stimulator. We want to act as an
encourager. And if the encouragement of a standard setting or certification
process -- and I understand there's a distinction between the two. I'm
just using them as two sides of the same coin. And if that were to
facilitate the growth of the NII we get something out of that because this
is, I think, an affirmative public good. So it's not completely altruistic
but it's probably closer than you suspect.

MR. HOYDYSH: I understand that. It's in everyone's interest for the NII
to go and the NII or the GII to be secure.

The real question that I want to grapple with is to whether your promotion
actually advances that goal or retards it.

MS. KATZEN: That's what we're getting on comments.

Last comments from you, gentlemen, before we move to the next panel.

MR. STEINAUER: I have a couple. One: you had commented about making sure
that government work got out and wasn't kept secret. Under very limited
circumstances I would suggest that the flow of information has been very
good. And I would think that the stuff that Steve and I are working on in
the Federal Networking Council and a lot of this other stuff, that's
getting out. There is no attempt whatsoever of keeping that secret.

MR. DUNCAN: That's to encourage, not to criticize. To encourage that
kind of activity, to continue it. That's what we're doing.

MR. STEINAUER: Okay.

The other thing that you had commented on was government developing things
for its own use. I think to a very large extent that part of the world has
really changed. 99 percent of what the government does and the products it
needs to do it, both in information technology and the security standpoint,
is probably exactly the same. It may rearrange things sometimes and in
some cases we're more concerned with one part of the problem more than
others but the basic technology is the same.

And indeed, what the government wants to be able to do is to confidently
buy things off the shelf, not have to write its own standards. Not have to
do all of the things that it has done in the past because it couldn't find
things that it felt were necessary.

And I think now both the private sector and the government are much closer
than they've ever been in understanding the need for security technology.

And I'll be frank, I think the government led the way earlier on in
suggesting there was a need out there, trying to get people to do it and
forcing at least government agencies to do things that they might not
otherwise have been able to justify. I think that is no longer a big gulp.

I think everybody understands, particularly in the last couple of years,
that if we don't solve these problems and get the technology that we
already have in use we aren't going to exploit the opportunity of the
technology.

MS. KATZEN: Stewart.

MR. KATZKE: I wanted to say something. If you look at recent events --
I've been with the Security Program for 20 years now, the government and
industry were very much in sync with each other in terms of what's
happening in the security effort. We very often worked in the voluntary
standards community. Sometimes we came up with standards and they adopted
them; sometimes they came up with standards the other way around.

Whichever. Vice versa.

But the point is, for some of the standards that we started developing we
developed the performance tests for those standards and the process by
which they were able to get their testing done. That was a desirable
thing.

Recently the government has taken a turn, I think out of that direction
because of the special needs that the government has. So if you judge
what's happened in security by the current events you're going to get a
distorted picture of what the government has done in terms of testing and
working in the voluntary standards and working with industry. I think
there are areas that we can work, in fact, with industry which are less
controversial and which are important for security.

The reason why we got into specifically the criteria area is because we
saw with the NII a need for quality products that people were going to use
to build this infrastructure. It's not the total solution but at least if
you don't start with good quality products showing me generally what you're
going to put together is not going to be very good. A large part of the
quality is assembling the pieces.

The other point is that you're sort of in a Catch-22 situation. You say
there's more demand for it. Maybe if we had programs in which we had some
kind of a certification process and that was a discriminator amongst
products in the market then maybe people would start choosing the ones that
were accredited, certified, whatever you want to call it. Then people
would start jumping on the bandwagon. Just another thought.

MS. KATZEN: Steve, you get the last word if you want it.

MR. SQUIRES: I'm looking at WWW.FFC. It will describe the collaboration
framework and we'll also set up a workshop on this topic a couple of months
from now.

MS. KATZEN: Having had the commercial, we will now have the commercial
break. Thank you very much for your participation.

We hope you'll sit through the next panel, stay around and invite Tom
Carty, John Rippey, Melanie Janin, Diane Fountaine, Fred Herr, Sheila
Dryden and David Keyes.

(Pause.)

MS. KATZEN: This is our second panel on reliability of the information
infrastructure. Why don't we start with Tom Carty, from GTE.

MR. CARTY: Thank you.

MS. KATZEN: I'm sorry, let me do exactly what I did last time because
they didn't give that much trouble.

Could we have each of the government persons identify themselves? Diane?
We'll come back to her.

MS. DRYDEN: Sheila Dryden, the principal director for Emergency
Preparedness Policy within the Department of Defense.

MR. KEYES: David Keyes, from the FBI. I'm representing the Department of
Justice as well.

MR. HERR: Fred Herr, with the National Communications System. I also
serve as chairman of the Reliability and Vulnerability Working Groups of
the IITF.

MS. KATZEN: Okay.

Tom?

MR. CARTY: I guess I'll start. Tom Carty, from GTE. Just by way of
background, I've been involved as a company and as an individual in
developing security infrastructure for the government for the past 15 years
and have just recently launched a commercial venture, if you will, in
providing security infrastructure.

Just to let you know a little bit about the background. But our
experience of providing infrastructure, what we've learned is
infrastructure becomes a very gating item in bringing to market, if you
will, a large-scale security-enhanced system to reality, much more so than
the individual technology associated with security.

The security management aspect of the security offerings, if you will, are
really a process of creating a system to manage security and a process for
managing the risk associated with that security.

And as with all opportunity comes risk. The opportunity we see in the NII
and certainly the benefits associated with that have risks, but we believe
those risks are manageable. I believe that also, in fact, no system put
forth will be without risk and the real issue is how do you balance the
risk within a system.

To start with, risks must be understood. The vulnerabilities associated
with anything that will move forward from an infrastructure point of view
needs to be better understood than is presently available today.

Therefore, I believe education is a very important aspect of moving
security infrastructure forward. The responsibilities must be clear.

And associated with that are the liabilities that would be incurred with
any security infrastructure offering. So I believe there's a large amount
of work that really needs to be done in moving the security infrastructure
forward. Not that the risks are unmanageable, not that they can't overcome
and not that we can't put forward a system to manage or to operate within
those risks. But I believe there's an awful lot that still needs to be
done. Part of that is, I believe, establishing policy and making a clear
statement or a framework in which to work.

I believe there is also a management framework that needs to be addressed
in terms of interoperability, in terms of policy interpretation and in
terms of how do you manage, if you will, recovery from unanticipated
events.

So if you start looking at risks associated with the security
infrastructure I believe that there are a number of management issues that
need to be addressed. And it's not so much a technology issue as it is a
management issue that needs to be dealt with.

MS. KATZEN: Thank you.

Melanie?

MS. JANIN: I'm Melanie Janin. I'm with the U.S. Council for
International Business. I work on information policy issues generally as
well as international telecommunications.

The U.S. Council represents over 300 major U.S. multinational companies so
I would be a fool to say that I disagree with anybody in the private sector
that's been here today. So --

MS. KATZEN: You agree with everything that's been said.

MS. JANIN: I endorse only the private sector.

And a second caveat is that I have much more to say on cryptography, which
is where I spend a lot of my time and effort.

MS. KATZEN: I know you'll save that until later.

MS. JANIN: Right. But just a few general comments, if I can.

The U.S. Council a year and a half ago -- actually almost two years ago
now, released a booklet on the NII -- there are copies out in the hall for
you -- called "Private Sector Leadership: Policy Foundations for NII." It
deals with information security, intellectual property, privacy and
telecommunications liberalization issues. I believe that statement is very
valid today.

Four general points that I wanted to make: as the other panel said, the
U.S. Council believes that the NII will form an integral part of the GII so
any policies or decisions or implementation that's done would have to be
done with that in mind. And all of the work that we do in our Committee on
Information Policy at the Council is done with a focus on global issues and
we do work with other national governments and with other multinational
companies throughout the world.

The second point is the government has a supporting role in the creation
of the NII and that is to craft a legal and regulatory environment that is
conducive to competition and to the growth of the NII and GII along those
lines.

Third: there's a belief that the government should not compete with the
private sector in terms of research, product development or the provision
of services and that the government should be technology neutral and not
favor one technology over the other.

Finally, the government should not attempt to develop, recommend or
mandate network standards concerned with interconnectivity,
interoperability or security.

A final point more related to this specific panel. The one section of our
comments that relate specifically here is the issue of where it says
"Government role and responsibilities: That the government will ensure
adequate emergency response capability on the NII." Our comments from the
U.S. Council here were that we're not really certain how this would happen
since the government neither owns nor controls the NII. I was told that
that comment is why I have been placed on this panel.

MS. KATZEN: We're hoping you'll give us some insight on what you think we
should do.

MS. JANIN: I, in all honesty, would be interested to hear from everybody
what the meaning of that phrase was and if there's been any further
thinking on that.

And that's all for now. I'll have more to say on cryptography a little later.

MS. KATZEN: John?

MR. RIPPEY: Thank you, Ms. Katzen.

I want to praise OMB for doing this and bringing the Bankers Roundtable in
late. I think if government innovates slowly I think bankers may be even
slower than government. We're here in a room full of high tech people and
thinking how the banking industry combines high tech and low tech with the
emphasis definitely on the low tech. We are happy to be here among some
people who are really forward looking.

The Roundtable represents the nation's major banking companies. Our
members have 70 percent of the U.S. banking assets and they employ about a
million people. And, of course, a number of our members are global
enterprises. We have basically the top 100 banking institutions.

We, in our letter last fall, noted that banks are not new to electronic
commerce in the sense that the global payments system for wholesale
payments has been going on for years and has been very reliable, but not
perfect. I think Tom's point about reliability is very well taken because
there have been some glitches, even in the large denomination payments.

You probably can't see this too well but there are actually triangles
here. The triangle on the left indicates the value of transactions. The
triangle on the right is the number of transactions. So it doesn't take
rocket science to realize that every day in the G10 countries over a
trillion dollars is settled successfully.

Also every day there are well over a billion cash transactions done. So
the dollar amount of a trillion dollars, there are relatively few
transactions. But the dollar amount of those billion cash transactions is
minute. So what we're seeing with the evolution of the Internet is there
is going to be a transition in the banking business and the payments system
from large denomination but fairly infrequent relative to transactions --
fairly infrequent transactions to much more rapid and numerous electronic
transactions but in much smaller dollar denominations.

So in one sense, while we are moving to have many more transactions done
electronically than we had before, the systemic risk to the banking system
is not going to be all that significant.

There are risks now in the large denomination or wholesale payments
system. Probably the biggest single risk is what's called "insolvency
risk," where a player bank could go suddenly insolvent and not be able to
settle at the end of the day. That, in fact, happened in '74 with the
Herrstadt Bank in Germany. That caused enormous ripples in the payment
system and caused the central banks to get together and try to reverse how
that happened and how it could never happen again.

But it's inconceivable if we move to an Internet-type banking system where
consumers are heavily engaged that any failure of, let's say, an Internet
bank could cause a ripple in the banking system.

For example, the first Internet bank is Security First Network Bank that
operates out of Kentucky. It's a joint venture of Wachovia Corporation and
Huntington Bankshares. I have no idea what its footings are but it just
started in October so it can't be very big. If that were to fail tomorrow
due to some computer glitch or let's say a computer hacker came in and
destroyed the entire bank it would hardly show up on the bottom lines of
Huntington and Wachovia and certainly wouldn't cause a blip in the entire
banking system.

So when we're talking reliability here I think the point we would like to
make is that we do have a very reliable wholesale payments system out there
that works very well. And what we're moving toward -- and it seems to be
fairly rapidly -- is to transition banking mentality and banking operating
systems into delivering electronic payment services to individual
consumers. In that transition there are all kinds of issues of standards,
interoperability, whether it will work, whether consumers will go for it
and so forth and so on.

But we have to keep in mind that in terms of the government's interest,
the taxpayer interest, exposure to risk and so forth it is not a big risk.

The bigger risk, really, is that if there were a meltdown in, say, Security
First Network Bank customers would walk away and would be turned off by
Internet banking and wouldn't come back. That's the real risk. It's a
market risk, not a payments risk or systemic risk.

We also are concerned -- it was mentioned in the earlier panel -- with
what I would refer to as downloading of policies from international bodies
into sovereign states such as the good old U.S.A., and the European Union
seems to be the one that gets the most attention, probably because they
have the most bureaucrats per square foot. Their recent privacy directive
is going to cause us difficulties, our members, in dealing with it.

One of the functions that we would urge government to be involved in -- I
don't know how within government. You know, what agency should take the
lead or what have you -- is to keep an eye on these fellows and ladies over
there in Brussels and to have much stronger input before these things
happen. Because we're either going to have to have that directed on down
or else it's going to become the de facto standard on privacy in the United
States for financial transactions, and it's way ahead of where we are.

It may be the ideal privacy standard from the point of view of a consumer
advocate but it doesn't really work very well in the real world. And
there's a danger there that while we talk about letting the private sector
work and let a thousand flowers bloom and the government not interfere,
over in Brussels they haven't heard that message and we're getting sort of
back door policies imposed on us.

So I think it's very helpful for the OMB to be involved in this kind of
issue and I would urge the attention given to the international aspect of
it.

We're most comfortable and we deal all the time with the Fed and the
Treasury. And, as you know, the Comptroller of the Currency has been
designated as the Treasury's electronic guru or whatever you want to call
it -- coordinator for all of the technology going on in the Treasury.

We're comfortable with that. We deal with the Comptroller's office all the
time so we have no problem in dealing on a day to day basis on technology
issues or other issues with the government.

So we're not here to say there's no role for government, because there is
a role. But what we would say is we certainly don't need at the moment --
forget Brussels for a minute -- any government action regulatory or
legislative in the privacy or security area because things are still
evolving.

Security First Network Bank obviously has some software that they're very
comfortable with to provide privacy and confidentiality and security to
their customers but that's only the first one. By probably the end of the
year there will be a half dozen Internet banks, just electronic banks, and
they obviously will be using different software. So it's much too early
for the government to come in and begin to worry about systemic risk
because of Internet financial transactions.

So I guess we have a foot in both camps. There is a clear role for
government but right now the government role needs to be more of a
monitoring and coordinating rather than it does a regulatory or legislative
aspect.

MS. KATZEN: Okay.

I have my usual two provocative comments but since we have so many on the
government panel I think I'll defer for a few moments until we see what
kind of discussion and debate we get started on our own.

Fred, do you want to start?

MR. HERR: Sure.

I guess I'd like to address Mr. Carty's comments and specifically ask for
a little bit more information on a couple of points that he made
specifically relating to industry understanding risk and better
understanding vulnerabilities.

What role would you see the government having in helping industry
understand the risks and specifically the vulnerabilities?

MR. CARTY: I believe when it comes to a security infrastructure I believe
that the wealth of experience certainly within this country and globally
rests with the government today. I don't think that position will be
retained in the long term, by the way.

But as a result of being in that position today I believe there is a
significant amount of education and sharing of information that the
government can make available to private industry. And I believe this will
also result in better product that will also support, I guess, the commerce
and the development of commerce within the country.

I come from the point of view of having recently worked on the SEP
standard, the standard that's being developed for Secure Electronic
Payments that's being done by MasterCard, VISA and some of the other larger
credit card companies. It became very, very clear in the process of doing
that that one of the greatest benefits of a very short lived experience, if
you will, was the openness under which this was conducted. I have probably
seen more insight and ideas come forward in the open forum that that was
created in than I've seen in any other single place to date.

I think the government has a wealth of information. I think the
government ought to be prepared to make much of that information available
today in educating people so they understand what risks they are accepting,
what are the vulnerabilities and what then are the risks associated with
those potential vulnerabilities and let the decision then belong to private
industry as to whether they would like to move forward and accept those
risks under the conditions put forward.

But I believe education is a tremendous part of what needs to be overcome.

And we're in the process -- we have just launched, as I said earlier, a
commercial product and a service offering education in this particular
area. Security infrastructure is probably one of the greatest barriers
that currently exist. So I think this is something the government could
really help tremendously and I think it's going to result in furthering, if
you will, better products on the open marketplace.

MR. HERR: If I could follow up a second. Does that indicate that you
believe that industry does not fully understand the risks and the
vulnerabilities that it faces?
MR. CARTY: Actually, I've been very surprised. I believe in selective
industries -- in particular, the financial industry is very, very astute
and very aware of many of the issues associated with it.

But as you start talking about an NII at the national level -- and I also
honestly believe the comment that Dan made earlier, that you can't say that
any longer. It has to be spoken of in the context of a GII or a global.

When you start talking commerce, commerce isn't just limited to the United
States. Clearly, we have global corporations and global trading partners.

We have to be ready to address those type of issues.

So I believe there are segments within the industry that are very, very
well educated -- maybe better than the government is -- in some of this but
I think it needs to go much broader than that. Especially when we start
talking in terms of how are we going to help the citizenry of the country
and how are we going to do things that are going to benefit the populace,
there's an awful lot of education that really needs to be done.

MR. HERR: If I might take a moment for a commercial message. As I
mentioned, I chair the Reliability and Vulnerability Working Group of the
IITF. The group recently completed a risk assessment of the NII. One of
the conclusions of that risk assessment program, the overwhelming
conclusion is that the members of the individual sectors need to understand
the risks and vulnerabilities to their sector in a lot more detail than
they currently do.

So I agree completely with your conclusion. We believe the industry needs
to do a great deal to understand its vulnerabilities but clearly it is a
joint government/industry responsibility because the government does have a
lot of information that can help the industry understand its risks.

MS. KATZEN: David?
MR. KEYES: I have quite a few things that I could start talking about and
keep going well beyond the designated time.

MS. KATZEN: I won't let you do that. That's not a risk.

(Laughter.)
MR. KEYES: But I wonder if there are any specific questions that you
wanted to address to me or to the Department of Justice. If not, I can go
into some of the thoughts that I had in response to yours.

MR. CARTY: I have a comment. I'd like to raise a comment at least to the
federal government.

I believe my opinion is that the government is moving too slowly in this
arena in terms of moving forward and trying to understand what are the
issues that must be faced to put into place some reasonably secure --
trustworthy is probably a better term -- NII or GII that could be taken
advantage of.

I believe that there are a number of areas where the government could come
forward. For example, I believe I made the comment originally that without
policy that we will move in the direction of least resistance but we won't
move necessarily in the direction we wish we had chosen.

I don't think we'll ever get policy necessarily to the point that every
person is going to believe what's stated. I believe there's a framework
that needs to be established.

The government is probably in a far better position having done this many
times to do this, to establish some sort of framework. I believe the
federal government is in a very leveraging position and has a tremendous
advantage over industry in the sense that when industry first had an
installed base you had an installed base of customers on which you could
run experiments on a large scale. I believe there's a lot still left to be
learned and understood about a large scale security infrastructure.

MR. KEYES: And speaking to the areas that the Department of Justice and
the FBI are involved in, I think they fall more into the areas that Melanie
raised. Of course, we work daily with the banking industry and I'm very
grateful to GTE for its assistance on the intrusion case that you were very
helpful on.

From the Department of Justice perspective, we aren't involved in standard
setting. We're sort of an operational response entity within the
government.

The Attorney General and the Deputy Attorney General, whom I've met on
this issue several times in the last couple of months, are very, very
concerned about improving the ability of the Department of Justice to speak
to the issue of threat and warning; to give the private sector threat
information, vulnerability information based on a knowledge base of other
cases and experiences that have come to the criminal justice system from
any number of different sources.

The Department of Justice believes that there is a need to improve the
ability of the federal government to provide operational responses to
attacks on the national information infrastructure. Because whatever else
they may be, in almost every instance an attack on the national information
infrastructure is crime and generally a crime that invokes the Interstate
and Foreign Commerce clause of the Constitution and brings it under some
sort of federal criminal investigative venue.

So the Department of Justice is very interested in improving the
coordination within the Department of Justice and, indeed, with other
criminal investigative entities at the state, local, federal and
international level to enable a more rapid, robust and thoughtful response
to the victim, which in most instances in terms of the Department of
Justice, would involve the private sector.

Since the Department of Defense, the NCS and others respond to DOD
problems within the FBI, we have merged capabilities between our National
Security Division and our Criminal Investigative Division specifically
dealing with computer based attacks. We're attempting to look at this
simply on the basis of the attack as opposed to the motivation of the
attacker. That is an issue we attempt to sort out later.

We believe we need to improve our coordination with the private sector,
which is very, very good within the banking and finance industry. I think
it's exceptional with the telecommunications industry in connection with
our legal authorities there.

We are attempting to expand our outreach program for training through the
American Society of Industrial Security, which consists of approximately
25,000 private businesses.

We've initiated threat and warning notification capabilities through a fax
system and an Internet system and a system of live briefings that we have
traditionally given in the counterintelligence and counter-terrorism arena
but hope to incorporate the criminal justice perspective of information
infrastructure into those programs.

And at the risk of having spoken too long, I pass at this point.

MS. KATZEN: Sheila -- thank you -- do you want to talk about the DOD?
MS. DRYDEN: Sure.

I would just like to say that I think there are a lot of discussions that
are taking place with a variety of departments and agencies on this issue.

It is an evolving issue. The departments are actively working to identify
issues and propose options for information protection and infrastructure
assurance throughout those discussions. It continues to the point that the
government and corporate partnership needs to be developed. And that's a
very strong point and that continues to pervade all of the discussion.

I think all of the government departments and agencies that we've
discussed this with realize the importance of bringing in the corporate
America partnership. We also believe that there probably will need to be
incentives developed as opposed to mandates with the private sector for
working on these infrastructure assurance initiatives.

Within DOD, we don't think DOD should be leading the government effort.

You know, we have a lot of expertise, we have a lot of knowledge in this
area but we don't think we should be taking the lead on it. We have a lot
of interest in it also because we rely very heavily on the information
infrastructure so we're very interested in making sure the information is
there when we need it, to make sure the information infrastructure
assurance capabilities are there. We don't think DOD should be leading
that government effort.

It's an issue that's much larger than the Department of Defense. It
requires a lot of interagency involvement. Within DOD, CQI has the lead on
automated information security. But within policy services directorate
that was recently set up, the infrastructure insurance policy directorate;
so that does let you know that the department is very interested in this
area.

MS. KATZEN: Diane?
MS. FOUNTAINE: I'm Diane Fountaine. I think I probably missed the
introductions. I am a deputy manager for the National Communications
system. We essentially coordinate the government and industry's
requirements in the telecommunications area for national security and
emergency preparedness response. I'd like to make a couple of comments
that will relate, Melanie, to your question on adequate emergency response
capability; and Tom, also to your point on the government's probably
leading role in policy establishment.

I think the government is in a position to espouse and define the
government's requirements for a minimum set of capabilities to any
particular infrastructure. In the telecommunications infrastructure, I
coordinate the Federal requirements for national security emergency
preparedness, minimum response capabilities. To that extent, we can ask
industry, as a part of that, to be able to respond to our requirements in
this regard.

With respect to policy, we can establish policy in that area, and I guess
when it gets to the private citizen in the private sector, I assume the
government's role would best be something like an Underwriter's Lab, where
we determine what a private citizen might require for a minimum set of
functionalities to assure that that citizen is protected either with
respect to privacy or delivery of service in any given infrastructure. And
that policy will be established, but then industry would respond in kind as
to capability in those regards.

That kind of takes government back a step from the actual private sector
provision.

MS. KATZEN: Let me raise two thoughts from hearing the different sides
speak, for you all to speak to.

Tom, you had raised education, which I think goes to the question of data
on threat and communicating it. And right now the government has probably
a better handle on that than anyone else. How long we retain that
advantage remains to be seen.

There is always a slight tension between widely disseminating information
on threats and, in fact, helping to facilitate the carrying out of those
threats. After the Oklahoma City bombing there was discussion whether or
not one should give the recipe for building those kinds of bombs and how
easy it was to get the kind of pieces together because then it could be
replicated.

If you think about the NII in its broadest sense and the interconnectivity
of the different uses of it with power grids, telecommunications,
financial, health information, everything coming together, to what extent
is the education function and education about potential threats going to be
either informative or are you suggesting education of solutions to minimize
those threats? Is that the educational function that you see the
government taking? And, again, I'm trying to be responsive to Melanie.

What's the government doing in here in the first instance? A: we have this
information; B: it's somewhat scary if you actually know what's going on;
C: who do you tell it to and how do you get something to happen. That was
one piece of what I was hearing.

I warned you there were two. The second piece is, again, your question
that Diane tried to respond to: what do you mean that the government is
going to ensure that we're going to be able to respond? Fortunately, the
kinds of attacks that have taken place have been relatively discrete,
relatively contained. We may not be so lucky. When the East Coast lost
aviation or telecommunications a couple of years ago there was at first an
uproar. How did the government let this happen? That subsided quickly and
it was recognized -- I guess it was telecommunications went out and AT&T
and the others got it back up and working fairly quickly. People forgot
about it in fairly short order, although those who do planning didn't.

But if there were a serious attack that took out all power grids, maybe
all radar for airplanes, a little bit of the electrical backing for the
Securities and Exchange, the Stock Market and just a few other isolated
hits I think the fingers would point quite quickly, Melanie, to the
building across the street saying 'How did this happen? How did we leave
ourselves so vulnerable?'

So I think there's a compelling need on at least the government's side to
try to anticipate some of these concerns. But we need a lot of help, as
others have been saying, in terms of who is actually responsible. Are we
responsible for making sure the banking system continues to work even
though the underlying infrastructure is knocked out from under? We're
talking about the risks of the payment. What about the risks of the
communications? There is a lot that goes electronically or whatever --
radio, television, telecommunications. So those are two pieces of it.

What we did in our report -- and again, I keep coming back to the document--
was to raise this as a serious issue. It was written, as was the other
piece we discussed earlier, in relatively vague terms to say 'Hey, folks.
What do you think is the government's role in identifying the threats,
communicating them, suggesting risk management approaches actually to the
point of assuming responsibility at some level for restoration?' And
that's I think what we're trying to do.

I must say, what we got back was not too terrifically helpful. It was
sort of 'You guys don't belong -- the government doesn't belong in here and
think twice before you do very much about this. And you may have some
interest but, you know, we can't quite figure out what it is.'

I think it's real and I think we need help in fashioning the real
government role in this area. That's what this panel, I think, should be
about. And that's what I'd like to hear in the last 15 or 20 minutes.

MR. CARTY: An opinion on that. My opinion on it is that I believe
government is one of the few organizations that are in a position to worry
about this on a very much global or national scale. So that when you start
talking about infrastructure elements such as whether there will be
communications backbone or the banking system or whatever commerce or
business is not necessarily going to worry about how do we pull that back
together following some national level catastrophe or semi-national level,
at least.

Are there back up mechanisms to provide the same level of service on a
very, very large scale? I think that's something the government certainly
should be participating in.

I think it's a role -- it had in the past in many ways and I think it's a
role that they bring together a lot of the thoughts, I believe, and are in
a position to bring together a lot of the required industry to put together
solutions, to provide that level of service should there be a serious
problem.

Where do you look for it within industry? Who do you look to? I don't
think that exists today. I don't think I know where you'd turn to to find
that solution. So I think there is a place for government in providing
that or at least bringing together those that would provide the solution.

MS. KATZEN: Melanie?
MS. JANIN: Well, as I said before, I really don't have the expertise in
this area. Not just directly responding to his comments but back to the
emergency response comment in the paper, if the government were to take on
that role it says here "an extension of this role to assure the priority of
communications to the NII when emergencies occur will be necessary."

How is the government planning to afford this? Is there a liability issue
that needs to be covered here? I have no answers for you.

MS. KATZEN: These are the questions. These are some of the questions in
which if you accept the fact that there is a threat and that there could be
something they keys nationwide that I use are backbone or infrastructure
and that there is a legitimate government role how are we to carry it out?
We can't do it all ourselves. That's what we're looking for and instead
we're getting 'Oh, my God.' What we really need is some dialogue. That's
what we're hoping to get here.

John, do you have any thoughts on this?
MR. RIPPEY: I'm afraid I do. I think you're mixing apples and oranges.

I don't mean in the pejorative way but we responded to the paper in terms
of an industry that's trying to cope with new electronic technologies that
are emerging and creating new ways of delivering products and services to
people. So we saw your rhetoric there more or less as a potentially
preemptive strike or messing around with something that hasn't developed
yet, which is how do you get stuff to people in reliable ways and in ways
that honor their needs for privacy and so forth. So that's why you've got
the stiff arming.

If you put your comments in the context of national security or some sort
of a volcanic calamity or whatever that would just wipe out all sorts of
communications you'd get a much different response because I worked at the
Fed in the '70s -- I haven't been back since but I know in the '70s I had
to bunk in some bunker down in Virginia where we were all going to go and I
guess they were going to give us -- each one of us had cash and we were
going to go to the different Reserve banks and hand out money on the
streets because it was thought important at the time. They had a huge
bundle of cash stored under the mountain. So I felt pretty good.

Somebody's thought about this, you know? And I didn't for a minute decide
that it would work or not, that wasn't my job.

So that if things have improved since then there is definitely a
government role to keep the payment system alive in any kind of large scale
emergency whether it's war, famine or whatever.

I mean, that's almost like a wholly separate issue that yes, that is a
governmental thing. It's much too big for private enterprise and it needs
to be coordinated, obviously, with other countries, states and so forth --
I mean U.S. states.

So we'd be very supportive of anything that appeared reasonable in that
area to make sure that the payment system and that businesses and consumers
could get back to normal as fast as possible, because otherwise things
would just get worse. But that wasn't what we were addressing in the
paper.

MS. KATZEN: Okay. I am glad you're not stiff arming the at least
somewhat edited version of the paper.

Last comments from our government members. Diane?
MS. FOUNTAINE: None.

MS. KATZEN: Sheila?
MS. DRYDEN: I think it is important for the private sector to have a
focal point within the government to come, to bring issues to, information.

The information sharing is a two way street. To have a focal point within
the government is important and also for the government to have a focal
point within the private sector as much as that would be possible. There
are so many entities out there. But I think that would improve the
information sharing.

MR. MC CONNELL: If I could just comment on that last point. In the
private sector I think it's instructive how you, John, have been talking
about, you know, you're dealing with the Fed and Treasury. And it's
probably that, in fact, other industries who aren't represented here today--
GTE is used to working, obviously, with the FBI but also the FCC.

That's the group that you look to. So we may find it's true that as
organizations which are the normal places where there's already a good
industry/government interface.

MR. RIPPEY: The problem, though, is that because privacy cuts across so
many areas I like the OMB model -- I have to say that -- in terms of
pulling the different agencies together or the different interest groups
together. Because, yes, we can deal with privacy, let's say, on electronic
benefits transfers at Treasury but there are other levels and issues of
privacy that Treasury won't be bothered with that some other government
agency will be. That would also be affecting what we do. So I really like
this OMB -- whatever you call it -- coordinating mechanism to bring
together these disparate interests.

And I think it's unique in my experience that this is going on and it's
very helpful if you can keep it going in the technology area. That will be
a big step forward in terms of working.

MS. KATZEN: We'll have those comments printed in bold.

(Laughter.)
MS. KATZEN: David?
MR. KEYES: We look at the response requirement from two different
perspectives, the first being an operational response and the second being
a consequences management response.

When you look at the threat that exists in warning the national
information infrastructure -- indeed the global information infrastructure--
it ranges from a teenage person with a modem all the way up through
organized crime into terrorism and into international relations and
activities up to and including war.

On Thursday I had six new cases come across my desk which represented
precisely -- it was an excellent example of the range of problems that
presently exist up to and including one national security matter that is
really kind of shocking in how it took place and who was involved.

A response capability means that you have to have someone who can
coordinate containment of an intrusion and limit the damage that's taking
place but also do it in a manner that identifies the intruder and enables
the government to make a response. On the consequences management side of
things you need a capability that can rebuild and cure the system to make
sure that that capability is once again bold and robust.

The government players that represent those two different responses, an
operational response and a consequences management response, are spread
throughout the executive branch. The NCS is an outstanding example of
planning and preparation and positioning the government to deal with
telecommunications problems that arise.

And as this problem is better understood, as our knowledge base expands
perhaps we'll be in a better position to carry over that type of expertise
into the other key infrastructures, not just telecommunications but the
eight different infrastructures that we'll address in the Justice
Department.

MS. KATZEN: Fred, the last word.

MR. HERR: I guess I'll end up where I started and that is I think that
the issue is clearly one that the government and industry need to work on
together. I don't think we can look on it as a government responsibility
and an industry responsibility. I think we need to work together. There
is plenty of work here for both segments to work on.

NSTAC, the President's National Security Telecommunications Advisory
Committee, and the NCS and government have done that very effectively, I
believe, in the telecommunications area. And I think that model serves us
well in seeing how we can work together in other areas at the NII.

MS. KATZEN: On that note, I thank the second panel.

I welcome the third panel. Our government representatives will be Scott
Charney, from Justice; Ed Appel and Mike Nelson. Is there somebody here
from State? Wonderful. Come join us.

(Pause.)
MS. KATZEN: Now, we have two people who are willing to come front and
forward. Surely there are many in the audience who have an interest in
this issue and the courage to come forward. We'll take comments from the
floor as well but they're going to get first crack.

If I can have the government people simply identify themselves. No
opening statements, please. Scott?
MR. CHARNEY: Scott Charney, chief of the Computer Crime Unit, Criminal
Division, Department of Justice.

MR. NELSON: Mike Nelson, White House Office of Science and Technology
Policy, co-chair of the Emergency Group on Telecommunications.

MS. KATZEN: All right.

Melanie, you have been waiting for this moment. The clock is ticking.

You have a few moments. Go.
MS. JANIN: Actually, we're all embroiled in this because Fiona and Mike
and a group of other U.S. Council members were together on Friday afternoon
trying to solve these global problems.

What I'm referring to in terms of cryptography, a major issue for U.S.
Council members and has been for a while, is the need to coordinate
cryptography policies across national borders. It only makes sense in this
day and age.

The U.S. Council has a set of business requirements for encryption that I
think if I talk about one more time Mike Nelson is probably going to have a
heart attack and walk out of the room, so I won't. But these requirements
were written, again, a year and a half ago. At the end of this paper there
is a recommendation that the U.S. government work with the private sector
in the U.S. and abroad and with other foreign governments to try to come up
with some consensus on global cryptography policy that would help us all
out in the long run. The process that is starting now is drafting, we
hope, an OECD guideline on cryptography policy. Mike and Scott are going
to be very involved in that.

The U.S. Council, just by way of background, is the American affiliate of
the business committee that reports directly to the OECD. So in that sense
we are the U.S. national committee that gives private sector input to the
OECD process. I'll let Fiona talk about ITI but ITI is also involved as a
member of the U.S. Council and they've got affiliates throughout the world
as well.

I can be more specific as the conversation goes on if you want.

In general, regarding this report, there was a final comment towards the
end, I think, on promoting international cooperation on encryption and
security issues, and there was mention of 'Gee, that's the process going on
in the Brussels meeting last year as well as the OECD security guidelines
in '92.'

So I would just like to commend that recognition in the report of those
activities and to say, you know, if enough transpires over the next few
months to include these developments in the OECD that are going on now,
that could be a very valuable addition to the report. And I'd be happy to
be in touch with anybody on that over the next few months.

MS. KATZEN: Fiona?
MS. BRANTON: Thanks.

I just would like to echo everything Melanie just said. We are working
very closely. We share very similar perspectives.

I'm going to reiterate some of the things we said in our comments on the
report. I wanted to start by saying that we thought the report had some
really good, important and valid observations in the early section,
especially about how cryptography is really moving from being a technology
that was used almost exclusively for law enforcement and national security
and is now getting into the kind of technology that businesses and users
really need. So much more commercial interest in the technology.

As we move into an increasingly on line world it is becoming more
essential that businesses and users are able to protect the integrity of
their information and their privacy. So it seems to us that cryptography--
and I think the report makes the same observation -- that cryptography
is really essential in maintaining our economic strength.

Then finally, the report did note that cryptography is really crucial to
the growth of the NII and the GII. And I would just like to start by
saying that we thought that it was really good that the report recognizes
all those principles and the fact that federal security policies really
need to take into account all those changes that are going on. So we
appreciate that recognition.

We did, of course, have some specific comments on the recommendations in
the report. First, and probably foremost, is the fact that the report
seems to support a very large central role for the government and it seems
like developing cryptography products. It sounds like the report
recommends that the government take the lead in developing cryptography
products. We would much rather see private sector led, industry driven
solutions that meet consumers needs, including having the federal
government participate in the industry-led voluntary standards process. So
it's really who's going to be leading the parade here.

We also noted that we would like to see the U.S. government update export
policies that are keeping U.S. companies from competing overseas on some of
these products; look to industry-developed solutions to meet government
security needs to the extent possible, rather than developing our
solutions, and refrain as much as possible from prescribing the kind of
technologies for solutions that the private sector can't use. We really
believe that the commercial needs will vary incredibly widely, and it would
be best to let the markets and the consumers arrive at solutions that would
be available.

ITI's been working, since we submitted our comments on this paper, with
our sister organizations in Europe, Japan and Canada, which we call the
Quadripartite Group. We've produced a set of encryption principles for all
of these companies internationally to bring up, and I think the main kind
of principles that we would like to see are security policies that balance
the needs of government, private users and businesses, and that accordingly
work internationally. We feel very strongly that we need to have
international policies.

The principles strongly advocate a market-driven approach. In particular,
we focused on users' rights to protect their information and their ability
to choose a solution that will meet their needs. So as you go forward with
that refinement in the report, if that's what you're going to do, try to
keep those two in mind: the industry-driven, user kinds of solutions.

MS. KATZEN: Anyone else from the private sector out there that didn't
feel courageous enough to come forward and speak at this time? Hearing
none --
(Laughter.)
MS. KATZEN: Scott, if you wanted to respond to questions or comments of
any kind and then we'll go on to Rose and Mike.

MR. CHARNEY: I think what we've seen in the past 18 months to two years
of work on this is that there is a growing consensus between the private
sector business and the government. There is a growing conceptual
agreement about what needs to be done.

There is no question that we need strong cryptography for end users, for
businesses, for government. There is no question that we have to be
sensitive to the fact that this is a global marketplace and that we need
products that will sell and sell overseas.

There's also no doubt that the government has certain equities that it
needs to protect which is clearly tested in cases where we have search
warrants, wire taps, et cetera for national security concerns.

So when we start with that conceptual agreement what we're learning now is
that the devil is in the details, as we say, because we have to figure out
a way that we can satisfy all these different equities, both the private
sector and the government, in some sort of workable formula. That also has
to be a formula that we can take overseas and make work in an international
environment.

So I have no problem with anything that has been said. And I actually
think that the OECD drafting committee that will be convening in the near
future is actually probably a step in the right direction because it's a
good forum for the right countries to get together and try to figure out
how this can be done. And, of course, we can act as a table so we have not
only business representation there but there may be business representation
within the national delegations as well. So it seems like the right forum
to try and hash out those details.

The only concern that I still have that needs to be addressed in that
regard, of course, is that OECD principles, if we look at the privacy
principles or the security guideline principles, tend to be at a fairly
high abstract level. And when we're talking about the devil is in the
details you're not talking about that level of abstraction but, rather,
much more specific approaches. And it's yet to be seen whether the OECD
can get down to that.

MS. KATZEN: Rose.

MS. BIANCANELLO: I hate to say it but I am probably one of those details
as a regulator. And I think the state's role, as we've been looking at it,
has been to try to balance that national security issue which is brought to
us by DOD as well as the industry marketing initiative.

I think we've probably done a good job in recognizing in I guess the early
'80s the need for the banks, in particular, to have encryption and getting
it exported in ways that would serve them well.

We've tried to do that also over the last two years and I think there is a
movement on the part of commercial users or uses that keeps going faster
than the regulatory process can perhaps meet. We welcome a relationship
with industry on this issue even though there have been disagreements about
the controls of the agencies. We welcome input on the ways to do the job
better.

And I think we have to see the regulatory changes over the past 24 months
that have helped industry to move more quickly such as the newest
distribution agreement. We would welcome further suggestions on how to do
that if we need and when we need controls.

MS. KATZEN: Mike?
MR. NELSON: Do we have time for questions after this?
MS. KATZEN: Sure.

MR. NELSON: I have the task of chairing the interagency group that's
developing policy in this area. I've been working in the area for more
than three years now, even before Clipper was announced.

I also agree with Scott. I think all of you heard from the two witnesses--
we certainly agree with what we've heard. We particularly agree with
Fiona's comment that industry should be developing technologies.

We need to work together to make sure they meet the needs of all the
industries. Industry has the expertise and money, and most importantly
they have the resources to go out and market the new technologies.

This is an incredibly difficult issue, trying to reconcile the needs of
consumers, manufacturers, law enforcement agencies, intelligence agencies.

And we're trying to do it not only in the U.S. but globally, so it's not an
easy problem and we haven't found the magic solution yet.

A lot of industry players are developing new approaches but so far we
haven't found a way to get around a couple of the key issues. One
fundamental problem is that anything the U.S. government approves of,
certainly anything we allow for export is immediately suspect and thought
to be too weak to be useful. So as we go forward we're facing this
terrible perception problem. The assumption is made that if we allow it to
be exported it must not be any good.

This is really quite harmful to the security of American companies because
today we allow the export of 40-bit encryption. That's pretty good
encryption. You can do a lot to protect your data certainly from the
janitor, from people who are walking in and download files off your desk,
from almost anybody except a handful of very large intelligence
organizations. Yet people aren't using it because they are certain it's
too weak to be useful because the U.S. government allows it to be exported.

That's one problem.

Another very big problem in this whole area is there is no reliable way
for consumers to evaluate the products they're buying. A lot of encryption
products say they are one thing when they're not. They have defects in
implementation, the algorithm that was developed isn't as good as the
creator thought it was. So a lot of the encryption products that are on
the market today are not what they should be, are not doing the job that
the customers thought they should do.

So we're looking for suggestions from industry on ways we can work with
industry to validate and certify some of these products so that we can
confidently endorse them.

One of the reasons that DES is the gold standard today is that the U.S.
government said 15 years ago that this is the gold standard we would use
for our own use. We need to go a little beyond that. We want to make sure
that the individual citizens who are using these products actually are
getting the security they need and want. So there are a lot of interesting
issues here.

I think the hardest issue for me, though, is dealing with the
international aspects of this. The U.S. is well ahead of most other
countries in developing policies, in part because we've been having a
roaring argument about encryption policies over the last few years. A
number of countries have come up with new, creative solutions to put on the
table. Many other countries are still getting their arms around the
problem, they're still discovering that encryption is an issue. In some
countries the policies are still focused on delaying the use of encryption
or delaying the spread of encryption. Here in the U.S. our policies are
driven by the simple fact that people need data encryption solutions they
can use, worldwide solutions they can trust to protect their privacy and
data. That's what our policy is driven by.

All of the different agencies that are represented by the working group I
chair are working together to try to reconcile all the different interests
of those agencies and it's taking time. But we have to move quickly
because the technology is advancing and there are lots of opportunities out
there where we could be using encryption more effectively than we are
because we don't have the solutions yet for all the players.

I've got a quick question for our panel. I've been a little bit
frustrated over the last two years that some of the biggest players in the
industry -- this is probably directed to Fiona -- that some of the players
that I would think could help us find solutions are not really engaged in
putting their resources behind developing new data encryption solutions.

Their resources have gone to lobbying to relax the export controls rather
than trying to find solutions for the needs of law enforcement, of
government, and focus instead on allowing the export of triple DES rather
than trying to find some other solutions, whether the export solution or
some other approach.

Do you have any ideas on how we as a government could spur investment in
this area?
MS. BRANTON: Well, I think it's sort of a policy chicken and egg kind of
thing. Some of the companies are worried that if they invest a lot of
resources in developing the solutions, and the solutions won't be allowed
to be used or exported, then they're not going to do it.

MS. KATZEN: I think Michael's question actually goes where I wanted to
head, in a slightly different direction. Rather than using resources to
develop solutions that are technical, the thing that you're asking for is
intellectual contributions and idea contributions.

What I have found increasingly frustrating is -- and you were kind enough
in your comments to applaud us for recognizing that there needed to be a
balance, because you were fearful that we would always see the national
security, law enforcement side. When I talk to businesses, I tend to hear
always the desire to export, and the confidentiality side.

If we take Scott's rosy scenario that we all agree on basic principles,
and that there has to be some balance, I came to the conclusion over a year
ago that the balance was not going to be in the details. It was going to
be something creative, something different, some structure on top of a
structure. We came up, I guess ten years ago, with the key escrow concept,
which is what I say -- it's less technical than it is intellectual. It's a
framework, a context, a way of thinking about it.

We have been pursuing key escrow internally in our working groups and our
discussions, because there has not been anything else. For years, I
represented the private sector. For years, I learned that you can't beat
something with nothing. For years, I filed comments with regulatory
agencies or went up to Capitol Hill with alternative proposals to get where
they wanted to get to my way.

That hasn't happened. And when Mike says to you that these players aren't
here, they're using their resources to stop our efforts or to lobby against
where we are, I'm frustrated that -- if it's not key escrow, fine. Give us
something that balances, and we're not getting that -- she says in a snippy
voice.

(Laughter.)
MS. KATZEN: Put that; "snippy."
MS. BRANTON: I can't really speak for the companies that are not members
of my association. And I actually am relatively new to the issue, having
just picked it up late last year. But we are really trying to get out of
that, you know, black and white process. And we are putting some real
thought, and I hope it's creative thought. It's hard to tell this early.

We're looking at different types of solutions. I can't really talk about
anything yet. But we are definitely going down this path, because I think
we have recognized that, you know, it's just not going to work, these
groups fighting.

MS. KATZEN: Melanie?
MS. JANIN: A few points.

One is that, you know, there are -- they are under development: the IBM
Lotus development, the key escrow, the hardware manufacturers. So things
are changing, albeit slowly. But, I mean, it's understandable, you know.

It's what these companies do, it's their product lines, and a lot of this
stuff that we feel frustrated about not being able to export is available
internationally. And so, their market share is being taken away, and
that's a frustrating reality to them, and that's understandable.

But what Fiona said, and ITI and the U.S. Council are aligned on this, is
that a lot of the same -- not only companies, but the same members that are
active in the Council -- have recognized specifically key escrow as one
possible method of managing encryption keys. We now have a working group
on key escrow. We're putting together comments on the U.S. government's
key escrow criteria, and we hope to bring this dialogue into international
fora as well; into the International Chamber of Commerce, where we're the
U.S. affiliate there, and into the business committee of the OECD.

So I think we're working on it. And then also, as Mike said, when you're
dealing with these issues internationally, alternatives and discussion of
alternatives become complex, because you're dealing with terminology. In
the case of key escrow, there's a major taint against that terminology
abroad. It may seem insignificant to us, but it's very significant to
people outside the States.

So I just think it is -- and again, as Mike said, it's a really complex
issue, and I would never want to be in the government's shoes for the past
ten years, to be flogged time and time again by hundreds of industry
groups. So we'll do our best to try to help companies find alternatives.

MS. KATZEN: I think the purpose of our paper on the other two issues and
on this issue as well is to stimulate consciousness, to stimulate awareness
of the issues, to stimulate response in a constructive vein. You heard it
in the other two panels, where we're asking for serious input from the
private sector to help us solve what has to be considered to be a common
problem. I think nowhere is that more compelling than in this particular
tough nut to crack, and if we can get people to come to the table with a
receptiveness to talk to one another, then I think we're doing our part --
at least, we're trying to do our part within the government -- to convey
this to the private sector.

Final comments?
MR. NELSON: There are two pieces to the question to ask. The first one
is the big question; what new concepts do we bring? The other one is, how
do these companies develop actual products? If we're excited about key
escrow, we'd like to see some companies try to implement the kind of
schemes that we talked about.

MS. BRANTON: Well, assure them that there's a marketplace.

MR. NELSON: That's the question. It is a chicken and egg. They don't
build until they see they're going to make money. But is there any way we
can help spur the process -- research grants, guaranteed buys? What do we
do?
MS. BRANTON: Probably all of that kind of stuff would help. I don't
really know. That's the main hurdle right now.

MR. NELSON: It's really very frustrating. Companies that really could be
out there and solve this problem are not.

MS. KATZEN: Would you guys like to have the last word on this one?
(No response.)
MS. KATZEN: I hope everyone's fine.

Let me say this. There was a lot of discussion about putting these panels
together. We have received a lot of comments, and I was one who was not
all that sanguine that a great deal would come out of this. I have been
persuaded that it was not only a very useful effort, but I think a good
first step in the next set of steps. It reinforces, as I said, my view
that more dialogue rather than less is essential in this area.

I've been surprised a number of times today by how people have read things
we wrote. It wasn't how we meant them, folks. And they were nonetheless
fairly perceived -- I'm not being critical -- fairly perceived as saying
something entirely different. And I found myself wondering how often I've
misinterpreted things the private sector has said. So I believe that
dialogue works.

Our transcript will be ready whenever it's ready, and will be posted to an
Internet site so that people will have access to that. We'll try to keep
some of the witticisms in there -- no, actually, we'll scrape all those
out.

I want to thank our agency representatives and members of the government
for participating and being willing to be put on the spot. I want to thank
our volunteers from the private sector, some of whose arms were twisted. I
particularly want to thank Glenn Schlarman of my staff, Ed Springer and
Bruce McConnell, who were the people who did so much to organize this
effort. I refer you to them if you have any further comments or issues
you'd like to discuss.

OMB has taken, I think, a leadership role, particularly under Bruce's
efforts, to bring together the various groups who have roles to play in
this, and I thank all of you in the audience who have not otherwise been
commended. Because if it weren't for you, we would have long, long gone
away.

So thank you for your patience, your listening, and we hope to see you
soon. Thank you.

(Whereupon, at 3:25 p.m., the hearing in the above-entitled matter was
adjourned.)